package com.gitblit.utils;

import com.gitblit.utils.PasswordHash;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/gitblit/utils/PasswordHashPbkdf2.class */
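/**
 * PBKDF2-based {@link PasswordHash} implementation.
 *
 * <p>A stored entry produced by {@link #toHashedEntry(char[], String)} has the form
 * {@code <type name>:$<configuration id>$<hex salt><hex derived key>}. The configuration id
 * selects an element of {@link #configurations}, so the parameters used to create an entry can
 * be found again when it is verified.
 *
 * <p>Both public operations overwrite the caller's password array with zeros once the key
 * derivation has been started; callers must not reuse the array afterwards.
 */
public class PasswordHashPbkdf2 extends PasswordHash {
    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordHashPbkdf2.class);
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Parameter sets, indexed by the configuration id written into each stored entry. New entries
     * always use the last element, so stronger parameters must be appended, never edited in place:
     * changing an existing element would make every entry stored under that id unverifiable.
     *
     * <p>NOTE(review): 10000 iterations is well below current guidance for PBKDF2-HMAC-SHA256
     * (OWASP's Password Storage Cheat Sheet recommends hundreds of thousands). This class does not
     * re-hash existing entries, so raising the cost also needs a rehash-on-login step elsewhere.
     *
     * <p>NOTE(review): the key length is given as {@code JnaUtils.S_IRUSR}, a file-permission
     * constant; this looks like the decompiler substituting a named constant for a numeric literal
     * (presumably 256, which {@link PBEKeySpec} interprets as bits). Confirm against the original
     * source before relying on it.
     */
    private static final Configuration[] configurations = {new Configuration("PBKDF2WithHmacSHA256", 10000, JnaUtils.S_IRUSR, 32)};

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/gitblit/utils/PasswordHashPbkdf2$Configuration.class */
    /** Immutable set of key-derivation parameters. */
    public static class Configuration {
        /** Algorithm name passed to {@link SecretKeyFactory#getInstance(String)}. */
        private final String algorithm;
        /** PBKDF2 iteration count. */
        private final int iterations;
        /** Derived key length handed to {@link PBEKeySpec} (which takes it in bits). */
        private final int keyLen;
        /** Salt length in bytes; also the offset of the derived key inside a decoded entry. */
        private final int saltLen;

        private Configuration(String algorithm, int iterations, int keyLen, int saltLen) {
            this.algorithm = algorithm;
            this.iterations = iterations;
            this.keyLen = keyLen;
            this.saltLen = saltLen;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Creates a hasher registered under {@code PasswordHash.Type.PBKDF2}. */
    public PasswordHashPbkdf2() {
        super(PasswordHash.Type.PBKDF2);
    }

    /**
     * Hashes a password with a fresh random salt under the latest configuration.
     *
     * @param password the clear-text password; overwritten with zeros before this method returns
     * @param str not read by this implementation (decompiler-assigned name)
     * @return the entry to store: type name, {@code ":$"}, configuration id, {@code "$"}, then
     *     the hex-encoded salt immediately followed by the hex-encoded derived key
     * @throws IllegalArgumentException if {@code password} is {@code null}
     * @throws IllegalStateException if the key derivation fails
     */
    @Override // com.gitblit.utils.PasswordHash
    public String toHashedEntry(char[] password, String str) {
        if (password == null) {
            LOGGER.warn("The password argument may not be null when hashing a password.");
            throw new IllegalArgumentException("The password argument may not be null when hashing a password.");
        }
        int configId = getLatestConfigurationId();
        Configuration configuration = configurations[configId];
        // A new salt per entry, drawn from the CSPRNG, so equal passwords never share a hash.
        byte[] salt = new byte[configuration.saltLen];
        RANDOM.nextBytes(salt);
        return this.type.name() + ":$" + configId + "$" + StringUtils.toHex(salt) + StringUtils.toHex(hash(password, salt, configuration));
    }

    /**
     * Checks a clear-text password against a stored entry.
     *
     * @param hashedEntry the stored entry, including its type prefix
     * @param password the clear-text password; overwritten with zeros once hashing has started
     *     (it is left untouched when this method returns early or the entry cannot be read)
     * @param str2 not read by this implementation (decompiler-assigned name)
     * @return {@code true} only if the password derives to the stored key; {@code false} if
     *     either argument is {@code null} or the entry is of a different hash type
     * @throws IllegalStateException if the stored entry cannot be decoded or is too short to
     *     contain a salt, or if the key derivation fails
     */
    @Override // com.gitblit.utils.PasswordHash
    public boolean matches(String hashedEntry, char[] password, String str2) {
        if (hashedEntry == null || this.type != PasswordHash.getEntryType(hashedEntry) || password == null) {
            return false;
        }
        // getEntryValue is inherited; presumably it strips the type prefix - confirm in PasswordHash.
        String entryValue = getEntryValue(hashedEntry);
        return isPasswordCorrect(password, entryValue, configurations[getConfigIdFromStoredPassword(entryValue)]);
    }

    /** Returns the index of the configuration used for newly created entries (the last one). */
    private int getLatestConfigurationId() {
        return configurations.length - 1;
    }

    /**
     * Extracts the configuration id from an entry value of the form {@code <x>$<id>$<hex>}.
     *
     * <p>Entries with fewer than two {@code $} separators, and ids that are unparsable or out of
     * range, fall back to configuration 0. The fallback is logged; only the two leading fields
     * are written to the log, never the salt/hash field.
     *
     * @param storedEntry the entry value without its type prefix
     * @return a valid index into {@link #configurations}
     */
    private static int getConfigIdFromStoredPassword(String storedEntry) {
        String[] fields = storedEntry.split("\\$", 3);
        if (fields.length <= 2) {
            return 0;
        }
        try {
            int configId = Integer.parseInt(fields[1]);
            if (configId >= 0 && configId < configurations.length) {
                return configId;
            }
            LOGGER.warn("A user table password entry contains a configuration id that is not valid: {}.Assuming PBKDF configuration 0. This may fail to validate the password.", configId);
            return 0;
        } catch (NumberFormatException e) {
            LOGGER.warn("A user table password entry contains a configuration id that is not a parsable number ({}${}$...).Assuming PBKDF configuration 0. This may fail to validate the password.", fields[0], fields[1], e);
            return 0;
        }
    }

    /**
     * Derives a key from the password and salt with the given configuration.
     *
     * @param password the clear-text password; overwritten with zeros by this method
     * @param salt the salt bytes
     * @param configuration algorithm, iteration count and key length to use
     * @return the encoded derived key
     * @throws IllegalStateException if the algorithm is unavailable or the key spec is rejected
     */
    private static byte[] hash(char[] password, byte[] salt, Configuration configuration) {
        PBEKeySpec keySpec = new PBEKeySpec(password, salt, configuration.iterations, configuration.keyLen);
        // PBEKeySpec keeps its own copy of the password, so the caller's array can be wiped now.
        Arrays.fill(password, (char) 0);
        try {
            return SecretKeyFactory.getInstance(configuration.algorithm).generateSecret(keySpec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            LOGGER.warn("Error while hashing password.", e);
            throw new IllegalStateException("Error while hashing password", e);
        } finally {
            // Wipe the key spec's internal copy on every exit path, including unchecked failures.
            keySpec.clearPassword();
        }
    }

    /**
     * Derives a key from the password and compares it with the expected key.
     *
     * @param password the clear-text password; overwritten with zeros
     * @param salt the salt stored with the entry
     * @param expectedHash the derived key stored with the entry
     * @param configuration the parameters the entry was created with
     * @return {@code true} if the derived key equals {@code expectedHash}
     */
    private static boolean isPasswordCorrect(char[] password, byte[] salt, byte[] expectedHash, Configuration configuration) {
        byte[] computedHash = hash(password, salt, configuration);
        Arrays.fill(password, (char) 0);
        // MessageDigest.isEqual does not stop at the first differing byte, so the time taken
        // does not reveal how much of the stored key a guess matched. A length mismatch
        // still yields false.
        return MessageDigest.isEqual(computedHash, expectedHash);
    }

    /**
     * Returns the leading {@code saltLen} bytes of the decoded entry.
     *
     * @throws IllegalStateException if the entry is not valid hex or is shorter than the salt
     */
    private static byte[] getSaltFromStoredPassword(String storedEntry, Configuration configuration) {
        return Arrays.copyOfRange(decodeSaltAndHash(storedEntry, configuration), 0, configuration.saltLen);
    }

    /**
     * Returns the bytes of the decoded entry that follow the salt (empty if there are none).
     *
     * @throws IllegalStateException if the entry is not valid hex or is shorter than the salt
     */
    private static byte[] getHashFromStoredPassword(String storedEntry, Configuration configuration) {
        byte[] saltAndHash = decodeSaltAndHash(storedEntry, configuration);
        return Arrays.copyOfRange(saltAndHash, configuration.saltLen, saltAndHash.length);
    }

    /**
     * Decodes the salt/hash field and rejects entries too short to hold a full salt.
     *
     * <p>Without this check a truncated entry would be verified against a zero-padded salt and
     * then fail with an unrelated array-range exception; it is reported the same way as an
     * undecodable entry instead. The entry contents are deliberately not logged.
     */
    private static byte[] decodeSaltAndHash(String storedEntry, Configuration configuration) {
        byte[] saltAndHash = getStoredHashWithStrippedPrefix(storedEntry);
        if (saltAndHash.length < configuration.saltLen) {
            LOGGER.warn("Stored password entry is too short to contain a salt.");
            throw new IllegalStateException("Error while reading stored credentials");
        }
        return saltAndHash;
    }

    /**
     * Hex-decodes the last {@code $}-separated field of the entry value.
     *
     * @throws IllegalStateException if that field is not valid hex
     */
    private static byte[] getStoredHashWithStrippedPrefix(String storedEntry) {
        String[] fields = storedEntry.split("\\$", 3);
        try {
            return Hex.decodeHex(fields[fields.length - 1].toCharArray());
        } catch (DecoderException e) {
            LOGGER.warn("Failed to decode stored password entry from hex to string.", e);
            throw new IllegalStateException("Error while reading stored credentials", e);
        }
    }

    /**
     * Splits the stored entry into salt and expected key, then verifies the password against them.
     *
     * @throws IllegalStateException if the entry cannot be decoded or is shorter than the salt
     */
    private static boolean isPasswordCorrect(char[] password, String storedEntry, Configuration configuration) {
        return isPasswordCorrect(password, getSaltFromStoredPassword(storedEntry, configuration), getHashFromStoredPassword(storedEntry, configuration), configuration);
    }
}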
